path: root/usr.sbin/httpd/src/modules/ssl
Commit message | Author | Age | Files | Lines
* this commit is really florian@'s, since he's the one who made removal of our forked apache possible by his work on nginx and slowcgi, but he doesn't want it - so it is my pleasure to tedu it. I spent so much work on chroot in it 10 years ago - and am very happy to see it go now, nginx is a far better choice today. Bye bye, Apache, won't miss you.
  henning | 2014-04-22 | 36 | -19663/+0
* Disable SSL compression in order to mitigate CRIME attacks. Add an SSLCompression option so that it can be turned back on, however on this is currently a no-op due to the compile options for libssl. Requested by and ok djm@
  jsing | 2013-07-16 | 4 | -5/+23
* Enable ECDHE support in httpd via a SSLECDHCurve option. This specifies the named curve to use when generating ephemeral EC keys for an ECDHE-based cipher suite, or can be set to `none' to disable. The default is to use a prime256v1 curve. yay^Wok djm@
  jsing | 2013-07-16 | 4 | -4/+47
* Define HonorCipherOrder as a FLAG (rather than as a TAKE1), so that it works correctly as a boolean on/off flag. While here, rename the variable so that it is consistent with existing naming scheme. ok otto@ djm@
  jsing | 2013-07-16 | 5 | -18/+19
* introduce HonorCipherOrder to use the server's order of preference of ciphers
  ok djm@ guenther@
  otto | 2013-07-11 | 5 | -3/+23
* allow httpd to build if sslv2 is disabled, ok guenther@
  sthen | 2012-07-07 | 1 | -5/+2
* adapt to API changes in OpenSSL-1.0.0a
  djm | 2010-10-01 | 1 | -5/+5
* Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> 'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley.
  krw | 2010-05-10 | 1 | -1/+1
* could write one word too far, found by parfait; ok millert
  deraadt | 2009-12-14 | 1 | -1/+1
* adapt to API changes in OpenSSL 0.9.8h
  djm | 2008-09-06 | 1 | -1/+1
* more negotation -> negotiation; ok sthen@
  martynas | 2008-07-22 | 2 | -4/+4
* Make the proxy module work with https again by allowing the destination port to be set in the config file instead of using HTTP_DEFAULT_PORT in all cases. Prevent a segfault that would happen when the SSL connection from the proxy fails. Problem found and analyzed by Mischa Diehm; fix by me.
  mbalmer | 2008-07-04 | 1 | -2/+6
* grammar fixes; from Jochem Kossen, system/5822;
  ok henning
  jmc | 2008-05-27 | 1 | -13/+13
* Add support for IPv6 while keeping the default at IPv4 to not break existing installations. See the documentation for the IPv6 related configuration. This changes the module ABI since addresses are now struct addrinfo. This has been tested by many people and run on production machines for several months. feedback many, ok todd
  mbalmer | 2008-05-09 | 2 | -2/+14
* fix yacc/lex parallel file generation
  espie | 2007-11-24 | 1 | -1/+11
* 'expresion' -> 'expression'. Reported by Jung on tech@.
  krw | 2007-10-14 | 1 | -2/+2
* paranoid snprintf length calculation to avoid a possible buffer overflow in SSL session id parsing (by reaching a negative size arg) ok henning
  pvalchev | 2007-06-01 | 1 | -1/+1
* Fix pr 5073, httpd/mod_ssl can leak file descriptors in the case where an ssl connection is not found in the scache dbm Reported by, and fix suggested by Darrin Chandler <darrin@puffy.asicommunications.com> testing by me, ok henning@
  beck | 2006-04-13 | 1 | -2/+6
* rip out bundled dbm, we've always used our dbm
  From: Daniel Ouellet <daniel@presscom.net>
  henning | 2006-04-04 | 5 | -1140/+0
* ensure that renegotiation is performed for a transition from "SSLVerifyClient optional" to "SSLVerifyClient require" fixes CAN-2005-2700 ok henning@, "go for it" deraadt@
  niallo | 2005-09-08 | 1 | -2/+2
* Fix scoping error in fatal error check during passphrase/privkey handling.
  henning@, otto@, robert@ ok
  aaron | 2005-02-17 | 1 | -2/+2
* Don't close the dbm until after we have copied the datum retrieved by the fetch into a local buffer. Adapted from r1.10 of the same file in Apache CVS. henning@ ok
  aaron | 2005-02-13 | 1 | -1/+2
* cleanup and unifdef'ing, no change in object files
  work by Daniel Ouellet <daniel@presscom.net>
  henning | 2005-02-09 | 2 | -5/+1
* kill more dead code, mostly inside #ifdef SOMENONSENSEONSTUPIDOSES
  joint work by Michael Knudsen <e@molioner.dk> and Daniel Ouellet <daniel@presscom.net> with my input no change in binaries
  henning | 2004-12-06 | 12 | -222/+4
* Redirected to /dev/null
  henning | 2004-12-02 | 1 | -133/+0
* big time httpd cleanup
  this diff removes a lot of #ifdef'd stuff that is irrelevant for us. done by Daniel Ouellet after my advice. tested by many, ok miod@
  henning | 2004-12-02 | 14 | -342/+1
* merge changes from mod_ssl 2.8.20, in particular a fix for CAN-2004-0885
  henning | 2004-10-20 | 2 | -2/+24
* get changes from mod_ssl 2.8.18:
    *) Fix buffer overflow in "SSLOptions +FakeBasicAuth" implementation if the Subject-DN in the client certificate exceeds 6KB in length. (CVE CAN-2004-0488).
    *) Handle the case of OpenSSL retry requests after interrupted system calls during the SSL handshake phase.
    *) Remove some unused functions.
  henning | 2004-06-10 | 3 | -53/+10
* Use arc4random(3) to compute random numbers, instead of using rand() to produce a double, snprintf()ing that into a buffer and then converting the string to an int with atoi(). ok millert@ henning@
  otto | 2004-05-16 | 1 | -14/+6
* merge apache 1.3.29 and mod_ssl 2.8.16
  ok brad@
  henning | 2003-11-17 | 35 | -45/+51
* chroot handling for SSLCertificateChainFile, problem found and fix tested by Sandor Palfy <netchan@cotse.net>
  henning | 2003-10-02 | 1 | -1/+2
* merge
  henning | 2003-08-21 | 8 | -21/+56
* oupsie, error in code we don't compile
  found by david
  henning | 2003-07-08 | 1 | -1/+1
* various format string cleanups; tedu ok
  deraadt | 2003-06-01 | 1 | -1/+1
* use RSA key blinding code from mod_ssl 2.8.13. differences to our own fix that was already in are purely cosmetical, but this will make the future merge of mod_ssl 2.8.13 easier.
  henning | 2003-03-19 | 1 | -3/+3
* missing ap_server_strip_chroot()
  henning | 2003-03-15 | 1 | -6/+9
* RSA blinding for private keys here too.
  ho | 2003-03-14 | 1 | -0/+10
* Add RSA blinding for private keys. markus@ ok.
  ho | 2003-03-14 | 1 | -1/+15
* kill unused #define which was a workaround with old OpenSSL versions
  from David Krause, Thanks!
  henning | 2002-11-18 | 1 | -4/+0
* kill duplicate int retry; from David Krause, Thanks!
  henning | 2002-11-18 | 1 | -2/+2
* merge mod-ssl 2.8.12
  fixes a cross site scripting bug fixes 2 off-by-ones
  henning | 2002-10-28 | 3 | -4/+5
* merge apache 1.3.27 and mod_ssl 2.8.11
  henning | 2002-10-07 | 6 | -6/+21
* don't try to recheck the paths to server.crt and .key once chrooted
  makes graceful restarts work when running SSL.
  henning | 2002-07-22 | 1 | -2/+2
* don't try to find a "suitable" bourne shell for subcommands, just use our /bin/sh, it is fine. Sam Smith <S@mSmith.net> reported a breakage in case bash is installed, and dhartmei@ analyzed, as far as I can see from the old mail sam forwarded me.
  henning | 2002-07-19 | 1 | -8/+1
* merge
  henning | 2002-07-19 | 6 | -21/+57
* don't try things we are not able to do if chrooted on graceful restarts.
  this does not mean a chrooted httpd survives a graceful restart (yet).
  henning | 2002-07-15 | 1 | -2/+4
* do not let the group access the sem
  deraadt | 2002-07-11 | 1 | -1/+1
* apache chroot and privilege drop.
  httpd will chroot itself into ServerRoot (/var/www) and drop root privileges now. This is enabled by default. Make sure to read httpd(8). help deraadt@ ssl mutex fixes beck@ "commit" deraadt@
  henning | 2002-07-09 | 3 | -3/+17
* fix off by one error; submitted by Jedi/Sector One <j@pureftpd.org> via pr/2767.
  fgsch | 2002-06-23 | 1 | -1/+2
* Tweak to make this work with OpenSSL 0.9.7
  beck | 2002-05-15 | 1 | -0/+4